Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
725s -
max time network
726s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 15:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Nursultan 1.16.5 Crack.exe
Resource
win7-20240221-en
windows7-x64
25 signatures
1800 seconds
General
-
Target
Nursultan 1.16.5 Crack.exe
-
Size
8.7MB
-
MD5
57ec49d438753f3bdfec6a616258b370
-
SHA1
a34f757f5f2bd4763f04206c0d0cd32ab4491117
-
SHA256
872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638
-
SHA512
88bdae1b6a45efa83c4a9ff28a4549c33db28ba2bb1d1911d028090e9dc3831ef57f6577388844a4cfccc60dbca70315a7f9d7311f6638bcf00da97110e1c64a
-
SSDEEP
196608:ITAJDpNk+Rl4/Xi/yRvyCyKuhBfldGdrmVLaY1rHgu:oAlzJ7yRvyCx+xpgu
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
resource yara_rule behavioral2/files/0x000a000000023bc0-26.dat family_zgrat_v1 behavioral2/files/0x000b000000023bc1-146.dat family_zgrat_v1 behavioral2/memory/6784-154-0x00000000007B0000-0x0000000000B3E000-memory.dmp family_zgrat_v1 -
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Users\\Public\\wscript.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\portmonitor.exe\"" portmonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Users\\Public\\wscript.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\portmonitor.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\wscript.exe\"" portmonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Users\\Public\\wscript.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\portmonitor.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\wscript.exe\", \"C:\\Webnet\\portmonitor.exe\"" portmonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\cmd.exe\"" portmonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\"" portmonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Users\\Public\\wscript.exe\"" portmonitor.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6608 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7156 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4964 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5208 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7312 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6508 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7440 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4256 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6632 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7816 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3024 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5648 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7936 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6632 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6152 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7592 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5796 4696 schtasks.exe 181 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7048 4696 schtasks.exe 181 -
Blocklisted process makes network request 5 IoCs
flow pid Process 40 6232 Process not Found 80 6232 Process not Found 82 6232 Process not Found 84 6232 Process not Found 87 6232 Process not Found -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation portmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation portmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation portmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation portmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation portmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation portmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation portmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation portmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation portmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation portmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation leetcrack.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation Nursultan 1.16.5 Crack.exe -
Executes dropped EXE 64 IoCs
pid Process 4976 Nursultan 1.16.5 Crack.exe 664 Nursultan 1.16.5 Crack.exe 1080 leetcrack.exe 2612 leetcrack.exe 2088 3b73a6fa2092a350d795.exe 1332 Nursultan 1.16.5 Crack.exe 4724 3b73a6fa2092a350d795.exe 5112 leetcrack.exe 3716 portmonitor.exe 3832 portmonitor.exe 4512 Nursultan 1.16.5 Crack.exe 452 3b73a6fa2092a350d795.exe 4880 portmonitor.exe 4832 leetcrack.exe 4448 Nursultan 1.16.5 Crack.exe 5004 leetcrack.exe 4156 3b73a6fa2092a350d795.exe 4808 Nursultan 1.16.5 Crack.exe 5044 portmonitor.exe 3820 3b73a6fa2092a350d795.exe 1940 leetcrack.exe 1648 portmonitor.exe 3148 Nursultan 1.16.5 Crack.exe 3872 3b73a6fa2092a350d795.exe 952 Nursultan 1.16.5 Crack.exe 2208 portmonitor.exe 4440 leetcrack.exe 4420 leetcrack.exe 3552 Nursultan 1.16.5 Crack.exe 4332 leetcrack.exe 4336 3b73a6fa2092a350d795.exe 1352 portmonitor.exe 3584 Nursultan 1.16.5 Crack.exe 4868 leetcrack.exe 2892 3b73a6fa2092a350d795.exe 4992 Nursultan 1.16.5 Crack.exe 4200 portmonitor.exe 4404 leetcrack.exe 2552 3b73a6fa2092a350d795.exe 5112 portmonitor.exe 2336 Nursultan 1.16.5 Crack.exe 380 leetcrack.exe 3160 3b73a6fa2092a350d795.exe 764 portmonitor.exe 2776 Nursultan 1.16.5 Crack.exe 3192 leetcrack.exe 4932 3b73a6fa2092a350d795.exe 3248 portmonitor.exe 4820 3b73a6fa2092a350d795.exe 540 portmonitor.exe 1940 Nursultan 1.16.5 Crack.exe 1476 3b73a6fa2092a350d795.exe 4728 leetcrack.exe 3724 portmonitor.exe 2036 Nursultan 1.16.5 Crack.exe 3540 leetcrack.exe 4376 3b73a6fa2092a350d795.exe 3656 portmonitor.exe 1704 Nursultan 1.16.5 Crack.exe 1532 leetcrack.exe 380 3b73a6fa2092a350d795.exe 1900 portmonitor.exe 4572 Nursultan 1.16.5 Crack.exe 3724 3b73a6fa2092a350d795.exe -
Loads dropped DLL 1 IoCs
pid Process 8508 Process not Found -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000a000000023bbf-14.dat upx behavioral2/memory/2088-27-0x00007FF7572F0000-0x00007FF757F1A000-memory.dmp upx -
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\portmonitor.exe\"" portmonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Google\\Temp\\wscript.exe\"" portmonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Google\\Temp\\wscript.exe\"" portmonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Webnet\\portmonitor.exe\"" portmonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\WindowsRE\\wscript.exe\"" portmonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Users\\Public\\wscript.exe\"" portmonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\WindowsRE\\wscript.exe\"" portmonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Users\\Public\\wscript.exe\"" portmonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\portmonitor.exe\"" portmonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Webnet\\portmonitor.exe\"" portmonitor.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Default User\\cmd.exe\"" portmonitor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Default User\\cmd.exe\"" portmonitor.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created \??\c:\Windows\System32\CSCD5713754FB3D4EC29D964E9135F2A48.TMP csc.exe File created \??\c:\Windows\System32\brcg55.exe csc.exe File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF Process not Found File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF Process not Found -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Google\Temp\wscript.exe portmonitor.exe File created C:\Program Files (x86)\Google\Temp\817c8c8ec737a7 portmonitor.exe File created C:\Program Files (x86)\Google\Temp\wscript.exe portmonitor.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\assembly\GAC_32\portmonitor.exe portmonitor.exe File created C:\Windows\Microsoft.NET\assembly\GAC_32\00246fd6889a7c portmonitor.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Process not Found -
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 7312 schtasks.exe 7816 schtasks.exe 6632 schtasks.exe 5796 schtasks.exe 6608 schtasks.exe 7156 schtasks.exe 6152 schtasks.exe 4256 schtasks.exe 3024 schtasks.exe 5208 schtasks.exe 7048 schtasks.exe 7440 schtasks.exe 6632 schtasks.exe 5648 schtasks.exe 7936 schtasks.exe 7592 schtasks.exe 4964 schtasks.exe 6508 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595683256706489" chrome.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1" chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4" chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" chrome.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings portmonitor.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" chrome.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe 6836 portmonitor.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 3936 chrome.exe 4060 chrome.exe 8508 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid Process 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeDebugPrivilege 6784 portmonitor.exe Token: SeDebugPrivilege 6844 portmonitor.exe Token: SeDebugPrivilege 6856 portmonitor.exe Token: SeDebugPrivilege 6740 portmonitor.exe Token: SeDebugPrivilege 6796 portmonitor.exe Token: SeDebugPrivilege 6868 portmonitor.exe Token: SeDebugPrivilege 6836 portmonitor.exe Token: SeDebugPrivilege 6812 portmonitor.exe Token: SeDebugPrivilege 6752 portmonitor.exe Token: SeDebugPrivilege 6820 portmonitor.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeDebugPrivilege 6888 portmonitor.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeDebugPrivilege 2308 portmonitor.exe Token: SeDebugPrivilege 6668 portmonitor.exe Token: SeDebugPrivilege 7620 portmonitor.exe Token: SeDebugPrivilege 7848 portmonitor.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeDebugPrivilege 7348 portmonitor.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeDebugPrivilege 7240 portmonitor.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeDebugPrivilege 2912 portmonitor.exe Token: SeDebugPrivilege 6868 portmonitor.exe Token: SeDebugPrivilege 6076 portmonitor.exe Token: SeDebugPrivilege 4500 portmonitor.exe Token: SeShutdownPrivilege 4060 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found 8508 Process not Found -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 640 wrote to memory of 4976 640 Nursultan 1.16.5 Crack.exe 85 PID 640 wrote to memory of 4976 640 Nursultan 1.16.5 Crack.exe 85 PID 640 wrote to memory of 4976 640 Nursultan 1.16.5 Crack.exe 85 PID 4976 wrote to memory of 664 4976 Nursultan 1.16.5 Crack.exe 87 PID 4976 wrote to memory of 664 4976 Nursultan 1.16.5 Crack.exe 87 PID 4976 wrote to memory of 664 4976 Nursultan 1.16.5 Crack.exe 87 PID 640 wrote to memory of 1080 640 Nursultan 1.16.5 Crack.exe 234 PID 640 wrote to memory of 1080 640 Nursultan 1.16.5 Crack.exe 234 PID 640 wrote to memory of 1080 640 Nursultan 1.16.5 Crack.exe 234 PID 4976 wrote to memory of 2612 4976 Nursultan 1.16.5 Crack.exe 88 PID 4976 wrote to memory of 2612 4976 Nursultan 1.16.5 Crack.exe 88 PID 4976 wrote to memory of 2612 4976 Nursultan 1.16.5 Crack.exe 88 PID 1080 wrote to memory of 2088 1080 leetcrack.exe 90 PID 1080 wrote to memory of 2088 1080 leetcrack.exe 90 PID 664 wrote to memory of 1332 664 Nursultan 1.16.5 Crack.exe 91 PID 664 wrote to memory of 1332 664 Nursultan 1.16.5 Crack.exe 91 PID 664 wrote to memory of 1332 664 Nursultan 1.16.5 Crack.exe 91 PID 2612 wrote to memory of 4724 2612 leetcrack.exe 89 PID 2612 wrote to memory of 4724 2612 leetcrack.exe 89 PID 664 wrote to memory of 5112 664 Nursultan 1.16.5 Crack.exe 131 PID 664 wrote to memory of 5112 664 Nursultan 1.16.5 Crack.exe 131 PID 664 wrote to memory of 5112 664 Nursultan 1.16.5 Crack.exe 131 PID 1080 wrote to memory of 3832 1080 leetcrack.exe 93 PID 1080 wrote to memory of 3832 1080 leetcrack.exe 93 PID 1080 wrote to memory of 3832 1080 leetcrack.exe 93 PID 2612 wrote to memory of 3716 2612 leetcrack.exe 437 PID 2612 wrote to memory of 3716 2612 leetcrack.exe 437 PID 2612 wrote to memory of 3716 2612 leetcrack.exe 437 PID 1332 wrote to memory of 4512 1332 Nursultan 1.16.5 Crack.exe 95 PID 1332 wrote to memory of 4512 1332 Nursultan 1.16.5 Crack.exe 95 PID 1332 wrote to memory of 4512 1332 Nursultan 1.16.5 Crack.exe 95 PID 5112 wrote to memory of 452 5112 leetcrack.exe 96 PID 5112 wrote to memory of 452 5112 leetcrack.exe 96 PID 5112 wrote to memory of 4880 5112 leetcrack.exe 97 PID 5112 wrote to memory of 4880 5112 leetcrack.exe 97 PID 5112 wrote to memory of 4880 5112 leetcrack.exe 97 PID 1332 wrote to memory of 4832 1332 Nursultan 1.16.5 Crack.exe 98 PID 1332 wrote to memory of 4832 1332 Nursultan 1.16.5 Crack.exe 98 PID 1332 wrote to memory of 4832 1332 Nursultan 1.16.5 Crack.exe 98 PID 4512 wrote to memory of 4448 4512 Nursultan 1.16.5 Crack.exe 99 PID 4512 wrote to memory of 4448 4512 Nursultan 1.16.5 Crack.exe 99 PID 4512 wrote to memory of 4448 4512 Nursultan 1.16.5 Crack.exe 99 PID 4512 wrote to memory of 5004 4512 Nursultan 1.16.5 Crack.exe 100 PID 4512 wrote to memory of 5004 4512 Nursultan 1.16.5 Crack.exe 100 PID 4512 wrote to memory of 5004 4512 Nursultan 1.16.5 Crack.exe 100 PID 3832 wrote to memory of 4308 3832 portmonitor.exe 101 PID 3832 wrote to memory of 4308 3832 portmonitor.exe 101 PID 3832 wrote to memory of 4308 3832 portmonitor.exe 101 PID 3716 wrote to memory of 3340 3716 portmonitor.exe 102 PID 3716 wrote to memory of 3340 3716 portmonitor.exe 102 PID 3716 wrote to memory of 3340 3716 portmonitor.exe 102 PID 4832 wrote to memory of 4156 4832 leetcrack.exe 103 PID 4832 wrote to memory of 4156 4832 leetcrack.exe 103 PID 4880 wrote to memory of 4116 4880 portmonitor.exe 1084 PID 4880 wrote to memory of 4116 4880 portmonitor.exe 1084 PID 4880 wrote to memory of 4116 4880 portmonitor.exe 1084 PID 4448 wrote to memory of 4808 4448 Nursultan 1.16.5 Crack.exe 105 PID 4448 wrote to memory of 4808 4448 Nursultan 1.16.5 Crack.exe 105 PID 4448 wrote to memory of 4808 4448 Nursultan 1.16.5 Crack.exe 105 PID 4832 wrote to memory of 5044 4832 leetcrack.exe 106 PID 4832 wrote to memory of 5044 4832 leetcrack.exe 106 PID 4832 wrote to memory of 5044 4832 leetcrack.exe 106 PID 5004 wrote to memory of 3820 5004 leetcrack.exe 107 PID 5004 wrote to memory of 3820 5004 leetcrack.exe 107 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"8⤵
- Executes dropped EXE
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"9⤵
- Executes dropped EXE
PID:952 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"10⤵
- Executes dropped EXE
PID:3552 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"11⤵
- Executes dropped EXE
PID:3584 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"12⤵
- Executes dropped EXE
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"13⤵
- Executes dropped EXE
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"15⤵
- Executes dropped EXE
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"17⤵
- Executes dropped EXE
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"18⤵
- Executes dropped EXE
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"19⤵
- Checks computer location settings
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"20⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"21⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"22⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"23⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"24⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"25⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"26⤵PID:5676
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"27⤵PID:5600
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"28⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"29⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"30⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"31⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"32⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"33⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"34⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"35⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"36⤵
- Checks computer location settings
PID:3596 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"37⤵
- Checks computer location settings
PID:5644 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"38⤵
- Checks computer location settings
PID:5600 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"39⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"40⤵PID:6324
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"41⤵PID:6536
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"42⤵PID:6696
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"43⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"44⤵PID:6148
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"45⤵PID:6436
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"46⤵PID:6636
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"47⤵PID:5208
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"48⤵PID:6680
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"49⤵PID:6488
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"50⤵PID:6148
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"51⤵PID:6260
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"52⤵PID:7660
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"53⤵PID:8092
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"54⤵
- Checks computer location settings
PID:6304 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"55⤵PID:7516
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"56⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"57⤵PID:7176
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"58⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"59⤵PID:7700
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"60⤵PID:6752
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"61⤵PID:5988
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"62⤵PID:6936
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"63⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"64⤵PID:8024
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"65⤵PID:6896
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"66⤵PID:5460
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"67⤵PID:6520
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"68⤵
- Checks computer location settings
PID:6452 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"69⤵PID:8500
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"70⤵PID:8828
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"71⤵PID:9192
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"72⤵PID:8152
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"73⤵PID:8824
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"74⤵PID:7604
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"75⤵PID:7768
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"76⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"77⤵PID:8616
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"78⤵PID:6516
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"79⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"80⤵PID:5224
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"81⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"82⤵PID:8208
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"83⤵PID:6840
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"84⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"85⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"86⤵PID:6736
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"87⤵PID:7936
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"88⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"89⤵PID:8604
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"90⤵PID:6344
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"91⤵
- Checks computer location settings
PID:6640 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"92⤵PID:7568
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"93⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"94⤵PID:6524
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"95⤵PID:9176
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"96⤵
- Checks computer location settings
PID:7332 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"97⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"98⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"99⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"100⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"101⤵PID:9084
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"102⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"103⤵PID:6672
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"104⤵PID:6812
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"105⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"106⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"107⤵PID:7992
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"108⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"109⤵PID:8144
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"110⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"111⤵PID:6820
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"112⤵PID:7976
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"113⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"114⤵PID:6536
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"115⤵PID:8576
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"116⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"117⤵
- Checks computer location settings
PID:8420 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"118⤵
- Checks computer location settings
PID:6900 -
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"119⤵PID:6000
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"120⤵PID:4132
-
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"121⤵PID:7952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-